---
title: istio.v1.auth
layout: protoc-gen-docs
generator: protoc-gen-docs
number_of_entries: 4
---
<h2 id="Services">Services</h2>
<h3 id="IstioCAService">IstioCAService</h3>
<section>
<p>IstioCAService verifies certificate signing requests (CSRs) for the
identities of Istio services running on various platforms. It approves or
rejects each request after verifying the Node Agent credentials provided as
part of the request.</p>

<pre id="IstioCAService-HandleCSR"><code class="language-proto">rpc HandleCSR(CsrRequest) returns (CsrResponse)
</code></pre>
<p>A request object includes a PEM-encoded certificate signing request that
is generated on the Node Agent. Additionally, a credential can be attached
to the request object so that the server can authenticate the originating
Node Agent.</p>

</section>
<h2 id="Types">Types</h2>
<h3 id="CsrRequest">CsrRequest</h3>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="CsrRequest-csr_pem">
<td><code>csrPem</code></td>
<td><code>bytes</code></td>
<td>
<p>PEM-encoded certificate signing request</p>

</td>
</tr>
<tr id="CsrRequest-node_agent_credential">
<td><code>nodeAgentCredential</code></td>
<td><code>bytes</code></td>
<td>
<p>Opaque credential for the Node Agent.</p>

</td>
</tr>
<tr id="CsrRequest-credential_type">
<td><code>credentialType</code></td>
<td><code>string</code></td>
<td>
<p>Type of the <code>node_agent_credential</code> (aws/gcp/onprem/custom&hellip;)</p>

</td>
</tr>
<tr id="CsrRequest-requested_ttl_minutes">
<td><code>requestedTtlMinutes</code></td>
<td><code>int32</code></td>
<td>
<p>The requested TTL of the certificate, in minutes.</p>

</td>
</tr>
</tbody>
</table>
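<p>An added example, not Istio's own code: server-side checks a CA could run on the <code>CsrRequest</code> fields before signing. The names <code>checkCsrRequest</code>, <code>sampleCSR</code>, <code>maxTTL</code> and <code>allowedCredentialTypes</code> and the policy values are assumptions; verification of the opaque <code>nodeAgentCredential</code> is platform-specific and left out.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"time"
)

// Assumed policy, not part of the API: TTL cap and accepted credentialType values.
const maxTTL = 90 * time.Minute
var allowedCredentialTypes = map[string]bool{"aws": true, "gcp": true, "onprem": true}

// checkCsrRequest takes the CsrRequest fields and returns the TTL to sign with.
func checkCsrRequest(csrPem []byte, credentialType string, requestedTtlMinutes int32) (time.Duration, error) {
	if !allowedCredentialTypes[credentialType] || requestedTtlMinutes <= 0 {
		return 0, fmt.Errorf("rejected: credentialType %q, requestedTtlMinutes %d", credentialType, requestedTtlMinutes)
	}
	block, rest := pem.Decode(csrPem)
	if block == nil || block.Type != "CERTIFICATE REQUEST" || len(rest) != 0 {
		return 0, fmt.Errorf("csrPem must hold exactly one PEM CERTIFICATE REQUEST block")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err == nil {
		err = csr.CheckSignature() // proof of possession of the key being certified
	}
	if err != nil {
		return 0, fmt.Errorf("invalid CSR: %w", err)
	}
	ttl := time.Duration(requestedTtlMinutes) * time.Minute
	if ttl > maxTTL {
		ttl = maxTTL // clamp instead of trusting the caller's requested lifetime
	}
	return ttl, nil
}

func sampleCSR() []byte { // constructed demo input; the subject name is made up
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "example-workload"}}, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func main() { fmt.Println(checkCsrRequest(sampleCSR(), "onprem", 600)) }
```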
</section>
<h3 id="CsrResponse">CsrResponse</h3>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="CsrResponse-is_approved">
<td><code>isApproved</code></td>
<td><code>bool</code></td>
<td>
<p>Whether the CSR is approved.</p>

</td>
</tr>
<tr id="CsrResponse-status">
<td><code>status</code></td>
<td><code><a href="#google-rpc-Status">google.rpc.Status</a></code></td>
<td>
</td>
</tr>
<tr id="CsrResponse-signed_cert">
<td><code>signedCert</code></td>
<td><code>bytes</code></td>
<td>
<p>The signed target cert.</p>

</td>
</tr>
<tr id="CsrResponse-cert_chain">
<td><code>certChain</code></td>
<td><code>bytes</code></td>
<td>
<p>The cert chain up to the trusted root cert. It includes all the certs between the
newly signed cert and the root cert.</p>

</td>
</tr>
</tbody>
</table>
</section>
<h3 id="google-rpc-Status">google.rpc.Status</h3>
<section>
<p>The <code>Status</code> type defines a logical error model that is suitable for different
programming environments, including REST APIs and RPC APIs. It is used by
<a href="https://github.com/grpc">gRPC</a>. The error model is designed to be:</p>

<ul>
<li>Simple to use and understand for most users</li>
<li>Flexible enough to meet unexpected needs</li>
</ul>

<h4 id="overview">Overview</h4>

<p>The <code>Status</code> message contains three pieces of data: error code, error message,
and error details. The error code should be an enum value of
<em>google.rpc.Code</em>, but it may accept additional error codes if needed.  The
error message should be a developer-facing English message that helps
developers <em>understand</em> and <em>resolve</em> the error. If a localized user-facing
error message is needed, put the localized message in the error details or
localize it in the client. The optional error details may contain arbitrary
information about the error. There is a predefined set of error detail types
in the package <code>google.rpc</code> that can be used for common error conditions.</p>

<h4 id="language-mapping">Language mapping</h4>

<p>The <code>Status</code> message is the logical representation of the error model, but it
is not necessarily the actual wire format. When the <code>Status</code> message is
exposed in different client libraries and different wire protocols, it can be
mapped differently. For example, it will likely be mapped to some exceptions
in Java, but more likely mapped to some error codes in C.</p>

<h4 id="other-uses">Other uses</h4>

<p>The error model and the <code>Status</code> message can be used in a variety of
environments, either with or without APIs, to provide a
consistent developer experience across different environments.</p>

<p>Example uses of this error model include:</p>

<ul>
<li><p>Partial errors. If a service needs to return partial errors to the client,
it may embed the <code>Status</code> in the normal response to indicate the partial
errors.</p></li>

<li><p>Workflow errors. A typical workflow has multiple steps. Each step may
have a <code>Status</code> message for error reporting.</p></li>

<li><p>Batch operations. If a client uses batch request and batch response, the
<code>Status</code> message should be used directly inside batch response, one for
each error sub-response.</p></li>

<li><p>Asynchronous operations. If an API call embeds asynchronous operation
results in its response, the status of those operations should be
represented directly using the <code>Status</code> message.</p></li>

<li><p>Logging. If some API errors are stored in logs, the message <code>Status</code> could
be used directly after any stripping needed for security/privacy reasons.</p></li>
</ul>

<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="google-rpc-Status-code">
<td><code>code</code></td>
<td><code>int32</code></td>
<td>
<p>The status code, which should be an enum value of <em>google.rpc.Code</em>.</p>

</td>
</tr>
<tr id="google-rpc-Status-message">
<td><code>message</code></td>
<td><code>string</code></td>
<td>
<p>A developer-facing error message, which should be in English. Any
user-facing error message should be localized and sent in the
<a href="#google-rpc-Status-details">google.rpc.Status.details</a> field, or localized by the client.</p>

</td>
</tr>
<tr id="google-rpc-Status-details">
<td><code>details</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#any">google.protobuf.Any[]</a></code></td>
<td>
<p>A list of messages that carry the error details.  There is a common set of
message types for APIs to use.</p>

</td>
</tr>
</tbody>
</table>
</section>
